Tags: amazon-web-services, amazon-elastic-beanstalk, amazon-elb

Using On-Premise Server for AWS Load Balancer


I have an Elastic Beanstalk application on AWS.

I want to use my on-premise server to share the load of my EC2 instance such that my on-premise server is the primary server and the EC2 instance(s) launched by Elastic LoadBalancer (ELB) are backups.

I have successfully created a client VPN endpoint (CVPN) with the IP 10.0.0.34. When I add this IP to the load balancer as a Registered Target, Health Status says Request Timed Out. I notice that there is no route table entry to my 10.0.0.0/24 CVPN IPs. In short, ELB cannot reach the subnet of my CVPN. The CVPN resource ID cannot be added to the route table to provide access to the CVPN subnet.

Questions:

  1. Is it true that ELB cannot access computers on the CVPN subnet?
  2. Are Site-to-Site VPN and Direct Connect the only options for my intended use case (other than leaving the AWS ecosystem)?
  3. For Site-to-Site VPN, is it true that it will require a monthly cost of US$400 just for the Private CA, plus whatever the traffic data costs?

Cheers

Follow-up: Following nickdoesstuff's comment, I successfully set up and connected a site-to-site VPN on AWS.

After entering IP and choosing static routing, it no longer prompts me for a private CA cert.

I briefly experimented with Azure, and here is a comparison with AWS:

Azure Pros:

  1. Better-defined pricing structure (6 or 7 tiers) with clear specs - BUT the basic tier is very limited
  2. The on-premise site can use DDNS, because you can enter a fully qualified domain name (FQDN) as the location of the client gateway address

AWS Pros:

  0. The client gateway must have a static IP. If it changes you have to re-do the entire setup on the AWS side; you cannot just edit the client gateway setting.
  1. Much faster creation of the gateway (wait 1 minute vs. wait 30+ minutes on Azure)
  2. Full-featured, low-cost basic tier
  3. By default, AWS gives you two IPs to connect to, which provides redundancy. However, it may be difficult to set up (and is not supported by the Ubiquiti Dream Machine)
  4. More "Downloadable Configuration" options to choose from. AWS has pfSense and strongSwan configuration "files", which are more like a guide than an actual file you can download and overwrite a system file with.

It is still miles better than Azure, which lets you do the hard work of finding out the precise wording of dozens of parameters...
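The timeout described above comes down to routing: an ELB health check to an IP-type target is sent from the load balancer's subnet, and it can only arrive if (a) the address is one an IP target group accepts and (b) that subnet's route table has a route covering it that actually carries private traffic (a `local` route reaches only the VPC CIDR; a route to a virtual private gateway, transit gateway or peering connection reaches on-premises space; an internet gateway route does not). The following is an added example, not code from the question or the answer, that models that check over constructed route tables. The VPC CIDR `172.31.0.0/16`, the gateway IDs `igw-EXAMPLE` and `vgw-EXAMPLE`, and the route rows are assumptions made up for the illustration; the accepted-range list follows AWS's documented rules for IP targets as I understand them (VPC CIDR, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16).

```python
"""Reachability pre-check for an IP-type load balancer target.

Added example (not part of the original question or answer). Route tables,
VPC CIDR and gateway IDs below are constructed sample data, not output from
any real AWS account.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Address space an IP-type target group accepts for targets outside the VPC
# CIDR. Such targets must then be reachable over Site-to-Site VPN,
# Direct Connect, transit gateway or peering, which is the route-table check.
ALLOWED_TARGET_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Route targets that can carry traffic to private address space outside the
# VPC: virtual private gateway (Site-to-Site VPN / Direct Connect), transit
# gateway, VPC peering connection. Internet/NAT gateways are deliberately absent.
PRIVATE_GATEWAY_PREFIXES = ("vgw-", "tgw-", "pcx-")


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    target: str  # "local", "igw-...", "vgw-..." etc.


def parse_routes(rows: Iterable[tuple]) -> list:
    """Build Route objects from (destination_cidr, target_id) pairs."""
    return [Route(ipaddress.ip_network(dest), target) for dest, target in rows]


def longest_prefix_match(ip: ipaddress.IPv4Address, routes: Iterable[Route]) -> Optional[Route]:
    """Return the most specific route whose destination contains ip, or None."""
    candidates = [r for r in routes if ip in r.destination]
    return max(candidates, key=lambda r: r.destination.prefixlen, default=None)


def check_ip_target(target_ip: str, vpc_cidr: str, routes: Iterable[Route]) -> dict:
    """Explain whether a health check from this subnet can reach target_ip."""
    ip = ipaddress.ip_address(target_ip)
    in_vpc = ip in ipaddress.ip_network(vpc_cidr)
    allowed = in_vpc or any(ip in net for net in ALLOWED_TARGET_RANGES)
    route = longest_prefix_match(ip, list(routes))

    if route is None:
        reachable, reason = False, "no route covers the target address"
    elif route.target == "local":
        # The implicit local route only reaches addresses inside the VPC CIDR.
        reachable = in_vpc
        reason = "local route" if in_vpc else "local route only reaches the VPC CIDR"
    elif route.target.startswith(PRIVATE_GATEWAY_PREFIXES):
        reachable, reason = True, f"routed via {route.target}"
    else:
        # A default route to an internet or NAT gateway matches everything,
        # but it cannot deliver packets to private space such as a Client VPN
        # endpoint's client CIDR, so the health check times out.
        reachable, reason = False, f"route via {route.target} does not carry private traffic"

    if not allowed:
        reason = "address outside the ranges an IP target group accepts"
    return {
        "target": target_ip,
        "allowed_target_type": allowed,
        "route": None if route is None else str(route.destination),
        "reachable": allowed and reachable,
        "reason": reason,
    }


# Constructed sample: the situation in the question. The Client VPN endpoint
# hands out 10.0.0.0/24, but a cvpn-endpoint is not a valid route-table
# target, so only the default route covers 10.0.0.34.
VPC_CIDR = "172.31.0.0/16"
SUBNET_ROUTES_BEFORE = parse_routes([
    ("172.31.0.0/16", "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),
])
# After a Site-to-Site VPN with static routing: the on-premises prefix is
# added pointing at the virtual private gateway.
SUBNET_ROUTES_AFTER = SUBNET_ROUTES_BEFORE + parse_routes([
    ("10.0.0.0/24", "vgw-EXAMPLE"),
])

if __name__ == "__main__":
    for label, routes in (("before", SUBNET_ROUTES_BEFORE), ("after", SUBNET_ROUTES_AFTER)):
        print(label, check_ip_target("10.0.0.34", VPC_CIDR, routes))
```

Running it prints `reachable: False` with the reason that the internet gateway route does not carry private traffic for the "before" table, and `reachable: True` via `vgw-EXAMPLE` once the `10.0.0.0/24` route exists, which is the change the follow-up describes after setting up the Site-to-Site VPN with static routing.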


Solution

  1. You cannot use ELB with CVPN.

  2. You can use them with Site-2-Site and Direct Connect.

  3. You do not necessarily need certificate-based authentication for S2S VPN. You could set it up with pre-shared keys, which alleviates the need for a CA.

    3.a. If using cert-based authentication is non-negotiable, you could use an on-premises CA (like a CA running on a Microsoft Domain Controller) to sign the certificates.

Hope this helps.